Zero Trust all starts with strong identity. Before you can implement dynamic policies or segment access, you absolutely must have a firm grasp on who is accessing your resources and verify their identity with high assurance.  

Activity 1.3.1 “Organizational MFA/IdP” is the directive to procure and implement a centralized Identity Provider (IdP) solution and a Multi-Factor Authentication (MFA) solution. These can be a single integrated platform or separate, as long as automated integration is supported. Importantly, the IdP and MFA solution must support integration with the Enterprise Public Key Infrastructure (PKI) capability, enabling authentication using key pairs signed by trusted root certificate authorities. The immediate focus for deployment is on what are considered Mission/Task-Critical applications and services. 

To recap: you need to be using your IdP with MFA for critical applications, and your IdP must specifically support robust, PKI-based multi-factor authentication backed by the enterprise PKI your organization already operates. 

Solutions for Achieving Organizational MFA/IDP 

Implementing Activity 1.3.1 involves strategically selecting and deploying identity and authentication technologies and ensuring their seamless integration: 

Procurement and Implementation of a Centralized IdP and MFA: 

Choose a solution (or integrated solutions) that can serve as the central authority for managing user identities and enforcing authentication policies across the enterprise. 

The chosen solution must support a wide range of authentication factors, with a strong emphasis on phishing-resistant options. 

Ideally, select a platform that offers integrated IdP and MFA capabilities to simplify deployment and management.  If procuring separate IdP and MFA solutions, ensure they have robust, documented APIs and connectors to integrate tightly. The authentication decision needs to be seamlessly coordinated between the two. 

Integration with Enterprise PKI: 

The IdP/MFA solution must have native support for integrating with your organization’s Public Key Infrastructure (PKI).   This integration should allow users to authenticate using certificates stored on smart cards (like PIV or CAC) or other trusted devices. The solution needs to be able to validate these certificates against trusted root certificate authorities and check for their revocation status.  
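The checks described above, chaining a smart-card certificate to a trusted root and confirming it has not been revoked, are the part of PKI integration that an IdP most often gets subtly wrong (for example, treating an unavailable or stale CRL as "not revoked"). The following Go program is an added example, not code from the original article and not Okta's or any vendor's code. It builds a constructed stand-in PKI (a self-signed root and one user certificate for a made-up "jane.doe"), issues a CRL from that root, and then performs the validation an IdP must do on a presented certificate. The function names (buildTestPKI, issueCRL, validateClientCert) and all names and serial numbers are assumptions for illustration; only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// testPKI is a constructed stand-in for an enterprise PKI: one self-signed
// root CA and one user certificate it issued. Names and serials are made up.
// In production the IdP holds only the trusted root chain, never the CA key.
type testPKI struct {
	Root    *x509.Certificate
	RootKey *ecdsa.PrivateKey
	User    *x509.Certificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// buildTestPKI mints the root CA and a client-auth certificate for "jane.doe".
func buildTestPKI() *testPKI {
	now := time.Now()
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Enterprise Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root := must(x509.ParseCertificate(must(x509.CreateCertificate(
		rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	userKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	userTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "jane.doe"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	user := must(x509.ParseCertificate(must(x509.CreateCertificate(
		rand.Reader, userTmpl, root, &userKey.PublicKey, rootKey))))
	return &testPKI{Root: root, RootKey: rootKey, User: user}
}

// issueCRL has the root CA sign a CRL listing the given serial numbers as revoked.
func issueCRL(pki *testPKI, revoked []*big.Int) ([]byte, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour),
	}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now.Add(-time.Minute)})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, pki.Root, pki.RootKey)
}

// validateClientCert performs the checks an IdP must make on a smart-card
// certificate before accepting it as an MFA factor: it chains to a trusted
// root, is within its validity period, is permitted for client authentication,
// and is absent from a fresh CRL that is signed by the certificate's issuer.
func validateClientCert(cert *x509.Certificate, trustedRoots []*x509.Certificate, crlDER []byte, now time.Time) error {
	roots := x509.NewCertPool()
	for _, r := range trustedRoots {
		roots.AddCert(r)
	}
	chains, err := cert.Verify(x509.VerifyOptions{
		Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	// Take the issuer from the verified chain, not from caller input, so the
	// CRL signature is checked against the CA that actually issued the cert.
	if len(chains[0]) < 2 {
		return errors.New("unexpected chain length")
	}
	issuer := chains[0][1]
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("bad CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	// Fail closed: a stale or missing CRL is not evidence that the cert is still good.
	if now.After(crl.NextUpdate) {
		return errors.New("CRL is stale")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate has been revoked")
		}
	}
	return nil
}

func main() {
	pki := buildTestPKI()
	trusted := []*x509.Certificate{pki.Root}
	crl := must(issueCRL(pki, nil))
	fmt.Println("fresh card:", validateClientCert(pki.User, trusted, crl, time.Now()))
	crl = must(issueCRL(pki, []*big.Int{pki.User.SerialNumber}))
	fmt.Println("revoked card:", validateClientCert(pki.User, trusted, crl, time.Now()))
}
```

Two design choices matter for an IdP. First, the CRL signer is taken from the verified chain rather than trusted on its own, so an attacker who controls the CRL distribution point cannot substitute a CRL from a key they hold. Second, a CRL past its NextUpdate is rejected outright; production deployments typically add OCSP as a fresher source, but the fail-closed rule is the same.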

Prioritized Deployment for Critical Applications: 

Focus initial integration efforts on the Mission/Task-Critical applications and services to immediately raise their security posture using the new centralized IdP and MFA, including PKI authentication where applicable. 

Okta and Activity 1.3.1: A Strong Platform for Centralized Identity with PKI Support 

Okta is a prime example of a platform that directly addresses the core requirements of Zero Trust Activity 1.3.1, offering a centralized IdP, robust MFA, and crucial support for PKI integration. 

Centralized IdP and Integrated MFA: Okta is a leading centralized Identity Provider with tightly integrated Multi-Factor Authentication capabilities. It provides a unified platform for identity management and a wide array of MFA factors out-of-the-box, including strong options. This satisfies the requirement for a combined or easily integrated IdP and MFA solution. 

Comprehensive MFA Options: Okta supports numerous MFA factors, allowing organizations to choose options appropriate for different user populations and risk levels. 

Direct Integration with Enterprise PKI / Smart Card Authentication: This is a key strength of Okta relevant to this activity, particularly the emphasis on PKI. Okta explicitly supports integrating with Enterprise PKI to enable certificate-based authentication using smart cards like PIV and CAC. It allows you to configure a Smart Card Identity Provider within Okta, upload trusted certificate chains, and validate certificates during the authentication process.  

Policy-Driven Authentication: Okta’s policy framework allows administrators to mandate the use of specific authentication factors, including Smart Card/PKI, for designated groups of users or when accessing critical applications. This helps ensure that “Component is using IdP with MFA for critical applications/services” and that the required PKI MFA is enforced. 

User and Group Management: Okta provides robust capabilities for managing users and groups, which are then used by critical applications leveraging the IdP for access control. 

The Technical Buyer’s Mandate: 

Activity 1.3.1 is foundational: it’s about choosing and implementing the core identity and authentication infrastructure that will underpin your entire Zero Trust strategy. A centralized IdP with integrated, strong MFA (especially PKI support for environments like the DoD) is non-negotiable. Selecting a platform like Okta provides a mature, integrated solution that directly addresses these requirements. Its ability to handle the complexities of PKI authentication alongside other modern MFA factors, all managed from a central point, simplifies deployment for critical applications and establishes the high-assurance identity verification needed to build trust signals for more advanced Zero Trust capabilities down the line. Don’t underestimate the importance of getting this step right; it’s the bedrock upon which your entire Zero Trust security posture will be built. 

Pillar: User 

Capability: 1.3 Multi-Factor Authentication (MFA) 

Activity: 1.3.1 Organizational MFA/IDP 

Phase: Target Level  

Predecessor(s): None 

Successor(s): None 

Technology Partners